Cyber Threat Flash Points

Mergers and acquisitions

Mergers and acquisitions

Corporate transactions that change your IT infrastructure and processes can create gaps in information security systems, polices, procedures and safeguards.

Mergers and acquisitions also often come with headcount reductions, activating many highly-motivated disgruntled ex-employees familiar with their organizations’ systems, processes and security measures.

A recent proposed acquisition of a technology company by a foreign organization had to be postponed indefinitely when it came under governmental scrutiny. There were concerns that certain software used by the foreign organization would expose the technology company, and potentially the wider country, to unacceptable cyber risks.

Questions to ask:

How secure is the data about this transaction? Could unauthorized persons access this sensitive information?

Does the merger or acquisition change our threat posture and introduce new potential threats?

If we are acquiring IP, have we potentially imported a cyber-vulnerability or a new cyber target?

Are we conducting due diligence into the cyber security effectiveness and cyber risk profile of our target?

Do our new employees understand the cyber culture of our organization?

Will the transaction be subject to governmental cyber concerns?

Entering new markets

Entering new markets

Different markets can impose different regulatory conditions on cyber security, which may impact the effectiveness of your operations. Cyber criminals can switch their attention to new entrants, probing for weaknesses in new infrastructure and new customer processes.

An Internet giant entering a new foreign market faced a radically different set of laws from the host government on IS censorship, privacy and confidentiality. In complying with these new standards, it caused global damage to its brand reputation. It has now shut down significant parts of its service in the new market.

Questions to ask:

Have we considered the geopolitical threats in entering this new market?

Are there different Information Security or Privacy laws in this market? Might compliance with these cause conflict with compliance in our other jurisdictions?

Will partnering with organizations in these markets introduce new cyber vulnerabilities?

New product launch

New product launch

You can waste investments in R&D if cyber criminals gain access to your IP. Even if they don’t steal your data, corrupting or copying it can irreparably damage your brand if products fail, or cheaper ‘copycat’ alternatives are launched at the same time.

A global technology firm launched a closely-guarded and much-anticipated product. Within days of launch, a ‘revolutionary’ security feature of the product was defeated by a number of global hackers who then published their methods on the internet, rendering the feature useless.

Questions to ask:

Are we prepared for cyber criminals who will attempt to delay or disrupt our launch?

Have we allocated extra cyber resource and have an incident response team on standby during the launch?

Are there any potential data leakages in the product development process that could allow threaten the success of the product or the launch?

Are any new suppliers fully compliant with our cyber culture and policies?

Front page news

Front page news

Just being well known can make you a target, and if you hit the headlines under difficult circumstances – product failure, corporate tax policy, affiliations that are unpopular, environmental incident – you can become the focus of revenge attacks.

Hackers often use public relations disruptions to target companies whose attention is focused elsewhere. Employees and shareholders can act erratically and unpredictably, straining the organization’s ability to identify and address an increased volume of threats on a variety of platforms.

Following a string of negative headlines the global oil industry has become the target of a global hacker activist group. The CEO of one of the industry majors recently went on record that his company fights off an average of 50,000 cyber attacks every day.

Questions you should ask:

Have we considered the new cyber threats we could be targeted by as a result of our recent public profile?

If we are allocating additional physical security resources in response to a recent event, should we also be increasing our cyber threat monitoring and response?

Who’s keeping everything running if we go into a cyber crisis? Do we have the capability to rapidly deploy additional cyber resource?

Major organizational change

Major organizational change

Information security relies on thoroughly robust mechanisms, total cooperation from your staff and a clear view of the risk landscape. Major organizational change can disrupt all of these. Reorganizations can disconnect and distract employees, causing them to forget or discard tested security measures and protocols.

Employees using their own mobile devices at work have led to many organizations adopting a Bring Your Own Device (BYOD) policy. However, this trend has dovetailed with an exponential increase in cyber attacks on mobile devices.

Questions to ask:

If we are introducing new technology for our staff, are they fully aware of the potential cyber risks?

How have the processes that handle and store customer information been impacted by organizational change?

If we are making significant changes to staffing levels or terms, have we considered the potential cyber threat?

If we are partnering with new organizations, how much data do we share, and how do we maintain the security of it?

Audit responsibility

Audit responsibility

Audit committees are increasingly being asked to take responsibility for assessing cyber risk to safeguard the interests of shareholders, but security measures need to avoid being too restrictive so that it negatively impacts operations and value generation.

When a major healthcare provider admitted that unencrypted personal information on over 1 million customers had been lost many months previously, significant fines were levied, with more fines pending if the lost data was misused.

Questions to ask:

When and how should an organization disclose to investors and shareholders that it has been the subject of a damaging cyber-attack?

Have we aligned our information security strategy to the organization’s risk appetite and risk tolerance?

Do we fully understand the financial consequences of a cyber attack? Have we looked beyond the immediate expenses such as direct loss and remediation expenses?

Do our technology officers understand how our cyber security approaches must flex in response to our strategic and operational policies?

Connect with us

Stay connected with us through social media, email alerts or webcasts. Or download our EY Insights app for mobile devices.

Download PDF

Contact us

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.